216.73.217.98

CVE-2025-13742

· Published 27/11/2025 11:15 · Modified 01/12/2025 15:39

Labels: CVE-2025-13742 2025-11-27655498c3-6ec5-4f0b-aea6-853b334d05a6CVE-2025-13742CWE-116

Essential information

Published
27/11/2025 11:15
Modified
01/12/2025 15:39
Author
Creator
CVSS
2.4 LOW (v3) 2.4 LOW (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing.

NVD status

Status
Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
655498c3-6ec5-4f0b-aea6-853b334d05a6
NVD
View on NVD

References